Beyond Internet security to risk management

February 25, 2013

Companies fear reputation for bad security

As more companies come out of the closet about their Internet security
being compromised, still more start to admit it.
But many (perhaps most) don't even know.
Fortunately, there is a way the public can get a clue
even about those companies.

Most treat online attacks as a dirty secret best kept from customers,
shareholders and competitors, lest the disclosure sink their stock price
and tarnish them as hapless.

However, as some companies come out of the closet about this (Twitter,
Facebook, Apple, etc.) and such revelations become more common, the
threat of looking foolish fades and more companies are seizing the
opportunity to take the leap in a crowd.

“There is a ‘hide in the noise’ effect right now,”
said Alan Paller, director of research at the SANS Institute, a
nonprofit security research and education organization. “This
is a particularly good time to get out the fact that you got hacked,
because if you are one of many, it discounts the starkness of the
announcement.”

Now here's the interesting part:

“I am convinced that every company in every conceivable
industry with significant size and valuable intellectual property
and trade secrets has been compromised (or will be shortly) with the
great majority of the victims rarely discovering the intrusion or
its impact,” Dmitri Alperovitch, then McAfee's vice president
for threat research, wrote in his findings.

“In fact,” said Mr. Alperovitch, now the chief
technology officer at Crowdstrike, a security start-up, “I
divide the entire set of Fortune Global 2000 firms into two
categories: those that know they've been compromised and those that
don't yet know.”

And this:

In October 2011, the Securities and Exchange Commission issued
a new guidance that specifically outlined how publicly traded companies
should disclose online attacks, but few disclosures have come
because of it.

“Quite frankly, since then, there hasn't been an abundance of
reporting on cyberevents despite the fact that they are clearly
happening,” said Jacob Olcott, a specialist in online risks
who managed a Senate investigation into the disclosure practices.

The best hope, Mr. Olcott said, is that as investors start paying
more attention to the threats, they will demand that companies
disclose them. “I wouldn't hold my breath,” Mr. Elefant
said. “There are an awful lot of lawyers out there trying to
keep companies from exposing that these breaches are happening. And
they are happening.”

What if there was a public indicator that a company had been compromised?
It turns out there is: outbound spam,
and rankings on
Maybe companies should check their rankings before the SEC does.
